[pve-devel] applied: [PATCH proxmox-firewall] firewall: apply `nt_conntrack_allow_invalid` option to guest table
Thomas Lamprecht
t.lamprecht at proxmox.com
Sun Nov 17 15:34:19 CET 2024
On 15.11.24 at 16:30, Hannes Laimer wrote:
> So it behaves the same way the 'old' firewall did. Since currently
> ct state invalid are always dropped on the guest table, regardless
> of the option. The host behaviour is not changed as it would
> require `forward` to match the 'old' behaviour.
>
> Signed-off-by: Hannes Laimer <h.laimer at proxmox.com>
> ---
> based on what @Stefan suggested in response to [1]. This matches what the
> old fw did with this option on vms.
>
> [1] https://lore.proxmox.com/pve-devel/918ffc4c-c371-4d43-8c2c-849e618273b6@proxmox.com/T/#t
>
> .../resources/proxmox-firewall.nft | 4 +++-
> proxmox-firewall/src/firewall.rs | 10 ++++++++
> .../integration_tests__firewall.snap | 23 +++++++++++++++++++
> 3 files changed, 36 insertions(+), 1 deletion(-)
>
>
applied, thanks!
I had to resolve some merge conflicts from context changes due to applying
Stefan's proxmox-firewall patches upfront.